The mayor of New Bedford, Massachusetts, took the unusual step this week of holding a press conference to describe a recent ransomware attack and explain why the city decided not to pay the $5.3 million ransom that was demanded.

Mayor Jon Mitchell described how the attackers first demanded $5.3 million in ransom, and the city countered with a $400,000 payment that its insurer had agreed to pay. When attackers did not respond to that offer, the city decided to continue moving forward with restoring systems and data through backups, the mayor said.

Mitchell said the city decided to negotiate with the attackers to give its IT department enough time to see if it could restore systems on its own.

"Ryuk has been implicated in attacks on government, education and private-sector networks across the globe, and these attacks have been escalating in their frequency, technical sophistication and the size of the ransom demands," Mitchell said at the press conference.

Since New Bedford first detected the ransomware attack on July 5, its management information systems department has completely rebuilt its server network, restored most software applications and replaced all of the computer workstations that were affected, the mayor said on Wednesday.

A total of 158 computers were affected by the Ryuk ransomware attack, or roughly 4 percent of the 3,500 desktops and laptops used by city employees, Mitchell said. New Bedford has a population of about 95,000.

Quick Detection and Response

Mitchell said several factors helped the city keep the ransomware from spreading further within its network.

For example, the mayor noted that because the attack happened over the July 4 holiday, many city employees were not working, which helped contain the attack. In addition, the city's infrastructure is compartmentalized, which also helped keep the ransomware from spreading.

"The city's computer network was compartmentalized to a certain degree, so key departments were either spared from being identified and targeted by the virus or were quickly protected by being disconnected from the network," the mayor said, according to a transcript of the conference provided by the South Coast Today website.

The mayor explained that after the IT staff returned from the holiday break, they noticed unusual network activity, which prompted the IT director to shut down systems to keep the ransomware from spreading further.

During the attack, Mitchell noted, none of the city's emergency services were disrupted. The city's financial management system, however, was unavailable for some time.

Demand for Ransom

As IT staff worked to restore systems, Mitchell and city officials were engaged in discussions with the attackers.

"The attacker responded with a ransom demand, specifically that it would provide a 'decryption key' to unlock the encrypted files in return for a bitcoin payment equal to $5.3 million," Mitchell said.

When the city made the counter offer of $400,000, which was what New Bedford's cyber insurance would cover and was in-line with ransoms paid after attacks in Florida and Georgia, the attackers stopped communicating, which meant the IT department was left to recover and rebuild its systems through back-ups, Mitchell notes.

As New Bedford continues to recover from the attack, Mitchell noted, the city has started to add more security around its endpoints to help mitigate the impact of another incident.

The city is also providing legal notices to local residents in the event that any personal data was exposed, although it's not clear at this time if any data leaked due to the ransomware attack, the mayor said.

"While the city remains unaware of any theft of data by the attackers, the encryption of certain log data prevents us from completely ruling out access to any specific personal data," Mitchell said.

Should Cities Pay Ransom?

Cities across the U.S. have struggled with the decision of whether to pay a ransom to recover their data and IT infrastructure after an attack.

The FBI discourages the payments of ransoms because it could encourage additional attacks.

In July, the U.S. Conference of Mayors adopted a resolution encouraging local elected officials not to pay out ransom during these types of attacks.

That same month, Lake City, Florida, voted to authorize the municipality's insurance carrier to pay 42 bitcoins, or about $530,000, to ransomware attackers.

Best Practices

Sam Curry, the chief security officer at security vendor Cybereason, tells Information Security Media Group that New Bedford appears to have followed best practices for limiting the impact of a ransomware attack.

"The key capabilities should be to identify ransomware early, to limit its spread, to recover data from backups, to resume operation, and to prevent re-infection," Curry says. "If we can reduce the recovery time to zero, we won't need to pay ransoms; we will be able to ignore them. We aren't there yet. But we can work on getting closer."

About the Author

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at IDG, Business Standard, Bangalore Mirror and The New Indian Express, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;